I've spent a few weeks investigating how we can use open source tools to provide basic vulnerability assessment functionality within a small ISO 27001 scope (less than thirty systems). The more sophisticated and expensive and commercial products are great, but before we investigated their use I wanted to see what we could get on a limited budget (mostly my time).